In this enlightening podcast, Brandon Gettert delves into the crucial interplay between leadership and cybersecurity. His journey from a tech enthusiast to a cybersecurity expert underscores the essence of adaptive leadership in today’s fast-evolving digital landscape.

Gettert emphasizes the importance of proactive measures, advocating for a robust cybersecurity framework to pre-empt potential threats. His narrative is a testament to the pivotal role of leadership in fostering a culture of resilience and strategic foresight within organizations. The discussion extends beyond technicalities, exploring how personal growth and family values intertwine with professional excellence, illustrating that true leadership transcends the confines of the workplace.

Want to learn more about Brandon Gettert's work? Check out their website at https://curatedcyber.com.

Connect with Brandon Gettert on LinkedIn at https://www.linkedin.com/in/brandon-gettert-a61065128.

 

Key Points with Time Stamps:

  • 00:00:30 - Introduction to the podcast theme and guest Brandon Gettert.
  • 00:01:23 - Brandon’s approach to cybersecurity and its significance in business.
  • 00:02:12 - Emphasis on cybersecurity awareness and actionable steps.
  • 00:11:03 - Discussion on the integration of leadership skills and cybersecurity expertise.
  • 00:19:15 - Exploring the widespread impact of cybersecurity threats on businesses of all sizes.
  • 00:26:05 - The importance of preparing and conducting cybersecurity exercises.
  • 00:33:24 - The critical role of cybersecurity insurance and preparedness in modern business.
  • 00:39:30 - Final thoughts on the importance of cybersecurity awareness and leadership.

Transcript

00;00;00;00 - 00;00;30;20
Craig Andrews
I was in a coma for six weeks while the doctors told my wife I was going to die. When I woke up, she told me the most fantastic story. My team kept running the business without me. Freelancers reached out to my team and said, we will do whatever it takes. As long as Craig's in the hospital. I consider that the greatest accomplishment of my career.

00;00;30;23 - 00;00;51;10
Craig Andrews
My name is Craig Andrews and this is the Leaders and Legacies podcast where we talk to leaders creating an impact beyond themselves. At the end of today's interview, I'll tell you how you can be the next leader featured on the show.

00;00;51;12 - 00;01;22;28
Craig Andrews
Today I want to welcome Brandon Gettert. He is the CEO and CISO. We're going to figure out what that acronym means at Curated Cyber. Brandon's mission is clear. Make cybersecurity understandable and repeatable. I love that repeat something very important for a business. Anything you do, it has to be repeatable. So I'm looking forward to learning about that. He assists clients in implementing the CIA triad.

00;01;23;01 - 00;01;53;19
Craig Andrews
Boy, that sounds like some weird gang, Hong Kong, but apparently it means confidentiality, integrity, and availability at the core of their operations, starting with a comprehensive risk assessment. He can create policies, manage vendors, and design business continuity plans. He can also stress test these plans through roundtable exercises, identifying and addressing potential pain points. So I'm looking forward to this conversation.

00;01;53;24 - 00;02;12;25
Craig Andrews
I my thought is, for those that are listening, there are a lot of people that know cybersecurity is important but take no action. So if you were to listen in any time, I think today's a day to listen in and figure out what you're going to do. So with that, Brandon, welcome.

00;02;12;27 - 00;02;16;01
Brandon Gettert
I'm so glad to be here. Craig, this is great. I'm excited.

00;02;16;03 - 00;02;24;25
Craig Andrews
So, you know, we didn't talk about this, but you, I think we're we're both in Texas. You're up in Arlington?

00;02;24;28 - 00;02;25;22
Brandon Gettert
Yes, sir.

00;02;25;25 - 00;02;27;22
Craig Andrews
Yeah, that's where my wife is from.

00;02;27;25 - 00;02;28;24
Brandon Gettert
Oh.

00;02;28;26 - 00;02;49;11
Craig Andrews
Yeah. So make it up there frequently. And I'm down here in Austin and, but the, something you mentioned, and this is kind of interesting because, I don't know if I would've associated this with your profession. You're a competitive foosball player.

00;02;49;13 - 00;03;12;27
Brandon Gettert
So when I told you that earlier, it's. I play competitively. I don't, like, compete on tour. There's a whole underground with this. So I'm not a ranked player in any way. But I do play competitive, and I love it. I'm thinking about it right now in the back of my brain. Right now, I'm thinking about what I'm going to practice on today to enhance that craft, to better that game.

00;03;12;29 - 00;03;18;08
Brandon Gettert
It's it's a discipline. Some people have golf. I have foosball.

00;03;18;11 - 00;03;21;11
Craig Andrews
Where where do you go to play foosball?

00;03;21;13 - 00;03;41;13
Brandon Gettert
So fortunately, the DFW area, we have a pretty big foosball community here. Yeah. And so there's it's there if you know where to go, look for it. Bars. I play with friends. I have a group of friends. I play with a bunch of really cautious when I say this. I play with a bunch of older gentleman that are they're really retired, so they have a lot.

00;03;41;13 - 00;03;52;17
Brandon Gettert
The kids are grown. They have a lot of free time. But we get together on weekends and play and I don't play every weekend. I got young kids, so very cool. Yeah.

00;03;52;19 - 00;03;58;13
Craig Andrews
And apparently you like to jam out while you're playing foosball.

00;03;58;15 - 00;04;12;03
Brandon Gettert
So I like two things. Well, my wife, my kids love them the nth degree, but I love playing foosball. And I love 90s music. And I love listening to 90s music while I play foosball.

00;04;12;05 - 00;04;14;16
Craig Andrews
So who's your favorite 90s band?

00;04;14;23 - 00;04;29;04
Brandon Gettert
Oh, loaded. Quite a good question. I like Offspring, Oasis, Korn, Nine Inch Nails, Tool. Not really 90s, but they kind of fall into that category in some ways. Alice in Chains, Soundgarden.

00;04;29;07 - 00;04;53;05
Craig Andrews
That's a that's some variety. It's an interesting variety. And, and we'll jump to cyber security here real quick. But you're right, the Offspring, it's really interesting that it's, you know, highly successful punk band. And if you listen to their lyrics, it's lyrics that you almost want your kids to listen to.

00;04;53;08 - 00;04;58;06
Brandon Gettert
Oh, so many thoughts around that. Give me, give me one of the lyrics.

00;04;58;09 - 00;05;00;19
Craig Andrews
So how about The Kids Aren't Alright?

00;05;00;22 - 00;05;01;06
Brandon Gettert
Okay. That's

00;05;01;12 - 00;05;06;04
Brandon Gettert
Yeah. You know what? I'm going to have my kids listen to some Offspring today.

00;05;06;06 - 00;05;39;21
Craig Andrews
Well, it's it's it's really interesting. Probably some. I heard somebody explain it once. They said, you know, punk is countercultural and The Offspring, their counterculture, the, you know, they put out songs like Get a Job and, Self Esteem, which is, you know, mocking the, again, pointing out the fallacies of the hookup culture and The Kids Aren't Alright, which talks about, how a lot of promising lives are being destroyed, you know, by just poor choices.

00;05;39;23 - 00;05;48;10
Brandon Gettert
And I, I got to admit, you went a lot deeper there with The Offspring lyrics than I ever have. And I love Offspring, but I've never digested it.

00;05;48;12 - 00;06;00;21
Craig Andrews
Yeah, well, it there's, you know, I know somebody recently who died of an overdose and so it's almost daily the, The Kids Aren't Alright have been playing through my mind just thinking.

00;06;00;21 - 00;06;03;10
Brandon Gettert
Man, I hate hearing that. I'm sorry to hear that.

00;06;03;13 - 00;06;05;11
Craig Andrews
well, yeah. Thank you.

00;06;05;11 - 00;06;24;28
Brandon Gettert
So I was out with some clients, and we were going to a ranch to shoot guns. And his wife, I was, I was we were driving and we were chatting, and she's like, we were talking about music in 90s music. And in this conversation on repeat, she's like, when you listen to a lot of those 90s songs, that music is just so sad.

00;06;25;03 - 00;06;45;10
Brandon Gettert
There's so much sadness in all those songs and I like I've listened to it my entire life, like, I don't, I really don't venture out and new music. I just listen to the same stuff on repeat, and I think I'm numb and desensitized to all the words next. I don't even really know what's going on. And since she made that comment, I've really been listening to the words more.

00;06;45;10 - 00;06;51;04
Brandon Gettert
Now that you mentioned that about Offspring, I'm going to do the same thing and I'm going to listen to those words a little bit more.

00;06;51;07 - 00;07;20;16
Craig Andrews
Yeah. It's, I think you're in for a surprise. So let's let's start moving towards cybersecurity. And I think one of the most surprising things you told me was not about foosball, not about the 90s music. It's about your career that led to cyber. And I just can't connect the dots with what were you doing before you were doing cyber?

00;07;20;18 - 00;07;40;28
Brandon Gettert
So I have a very interesting past and so I long I'm gonna I'm gonna give you the real long story, but I'm gonna give you the short version. Let me give you a longer, a bit real short version. I got I was a cook at a bar, and I had, like, no direction. And I was like, this is great.

00;07;40;28 - 00;08;01;01
Brandon Gettert
I love this life. This was back in college, and the girl I was dating at the time, her ex-boyfriend was in technology. So I'm like, oh, I'm gonna get into technology. So that started it. That was a whole reason I even got into technology. And so I went and started taking classes, and I got a job in technology and did that for a long time.

00;08;01;01 - 00;08;29;14
Brandon Gettert
I was a Linux administrator for seven years. Several years I was a SQL, my MySQL database administrator. That evolved into web development, that web, then that developed, that moved to software development, and then I had burnout, and then I got out of it altogether. And this was after this was post-college. You build this career. I was 30 years old, and then I became a truck driver.

00;08;29;16 - 00;08;52;00
Brandon Gettert
And I hauled livestock over the road. And I went with my dad. My dad was an over-the-road truck driver. So I hopped in with him, got my CDL and started going with my own truck, got real big. It's a very unhealthy lifestyle. And so I did that for about three years and then got out of that, and then I got a job at a bank.

00;08;52;00 - 00;09;12;22
Brandon Gettert
They needed an IT guy for some IT work. So I started doing contracting work and it was just a real random thing. So I started coming in, I cleaned up their Windows administration. So it's just a Windows or I was a Windows administrator. That's what they brought me on for. And then it became project manager, and then it became really the unofficial perfect middle managers.

00;09;12;22 - 00;09;34;01
Brandon Gettert
What? I was there the entire time. I was never the CTO. I was never anything like that at all. I did that for several years and we had an exam come in because banks live under governance and regulation, and they brought in and it or they, they recommended that we have an audit done, an IT audit on our controls.

00;09;34;04 - 00;09;56;22
Brandon Gettert
And so these auditors came in and I was enamored with that job. That was the job I wanted. And from that day forward I managed the auditors, I managed all that. And I still worked at this bank for several years after that. And then I got out of that career out of the bank. And it was if we take a little detour and how this career worked out, I wanted to go be that guy.

00;09;56;23 - 00;10;19;01
Brandon Gettert
Those guys so bad. I want to be an IT auditor. And long story short, when I left the bank, which that's a whole other conversation in itself. Merger, acquisition, one of those things where sometimes God makes things so uncomfortable that you're forced out. In some ways, I was I was in that position like, I didn't want to leave.

00;10;19;01 - 00;10;37;19
Brandon Gettert
I didn't want to go anywhere. I even I didn't think I was good enough to go anywhere like, that was a whole whole thing. And but man, the provisions that were put in place for me there because it, I went to that auditing company that came in seven years prior. I want to come work with you guys. And they're like, great, we have a spot for you.

00;10;37;19 - 00;11;03;17
Brandon Gettert
But not on the audit side. It's on the virtual information search security side. Are you interested? And I'm like, I'll take anything right now. I'm desperate. I just I got to do something else. And my now business partner, I met him there and he what he created, I perfected. And so we got a really smooth like operation now and so but just that's how I got to where I'm at now is all those doors like it just the way things lined up.

00;11;03;21 - 00;11;21;02
Brandon Gettert
And to do the fractional information security work like we do, you have to know Linux, you have to know Windows, you have to know programming, you have to speak that language and you have to know how to soft skills. Got to know how to talk to the board. There's so many skills that were drafted up with every job that I ever had to get to here.

00;11;21;02 - 00;11;41;24
Brandon Gettert
Like when you look back on that run, it's like, oh my gosh, this couldn't have aligned more perfectly for me. Like, thank you Lord for putting me in those positions, making me uncomfortable enough to force me to move when I didn't want to move. But you also had other plans. So that's how I got to here.

00;11;41;26 - 00;11;52;17
Craig Andrews
Is it's an amazing journey. It's, it's and I didn't realize at the time that you'd started off and it got burned out and then eventually came back to it.

00;11;52;20 - 00;12;26;02
Brandon Gettert
And there's some wisdom there as well. I'm very hypersensitive to burnout because I'm not a real high capacity person. But when you run a business, you're running it high capacity. And when you have boys, two kids, young kids, you're running at high capacity and it's, it's a balancing act, figuring out, okay, I got to manage my resources because one of the things I'm really working on proactively right now is running a business is easy compared to turning work off, because I could work all day long.

00;12;26;04 - 00;12;33;04
Brandon Gettert
Turning work off and engaging with my boys like that is something that I proactively work on.

00;12;33;07 - 00;12;34;01
Craig Andrews
Every other year.

00;12;34;02 - 00;12;52;01
Brandon Gettert
Boys were three and five, but we're going to be four and six next month, so let's call it four and six. Wow. I had kids a little later in life. I was I was 40 when I started having kids. Yeah, I was missing that piece all my whole life. So.

00;12;52;04 - 00;12;58;28
Craig Andrews
Well, you know, I, I and I think, you know, as we're talking about leadership, that's.

00;12;59;01 - 00;13;04;14
Craig Andrews
I think if you lead well in the office but poorly at home, I don't think that makes you a good leader.

00;13;04;16 - 00;13;26;05
Brandon Gettert
Oh, you you couldn't have it better. So I'm gonna I'm gonna give my wife a big plug. She is. I am the best version of myself I can be because of her. And she has brought up some. We were coming back from a client side, so I take her with me a lot of times. Well, this was. We have one in particular client.

00;13;26;05 - 00;13;44;12
Brandon Gettert
We get invited to Christmas party. So we get we go to that. We were coming back and this is become less now that we have young kids. But it was a she was very intentional about having a conversation about why don't you run the family the way you run your business. I was like, whoa, that is a really good, astute observation.

00;13;44;12 - 00;14;05;14
Brandon Gettert
She goes, yeah, because like strategic planning and road mapping, she goes, you do all that so well for your clients, do that here. And so this year was actually the first year that we rolled that out. And so I thought about it for about six months. I was like, how do I do that for my family? And it's it's it takes work.

00;14;05;14 - 00;14;25;12
Brandon Gettert
It's a skill set. But there's certain roadmaps and milestones that I want my boys to be at. I want I want to pour into their hearts and encourage them and build courage and build strength and build all that. I want them to know those things. I have to roadmap that out. And so this year I have five things on that roadmap where I want these boys to be here at the end of this year.

00;14;25;12 - 00;14;44;25
Brandon Gettert
And so I got to put that on the calendar, and I got a, I've got to make that happen. And so we this sounds so. I run my family the way I run a business. And I say that because I've read a lot of business books, but we run off, we run a traction business. And so we have ideas, identify, discuss and solve.

00;14;44;27 - 00;15;04;13
Brandon Gettert
And so my wife, we use that verbiage. It's not that I run my wife or my, my house like a business, but we speak that language because that's the language that we speak in business to. Hey, we've identified something, let's discuss that. Let's solve that. And the strategic planning. Like every year I have strategic planning and road mapping that we have with all my clients.

00;15;04;20 - 00;15;21;25
Brandon Gettert
It's okay. We need to get here. So with my boys, there's certain things I want them to know, like swimming is one. We're struggling with swimming. So I got to proactively we're going to start going swimming every week. So but that's got to be on the calendar. Just won't happen or I just won't do it. Because by the time I get to Friday, I'm burned out.

00;15;21;25 - 00;15;26;02
Brandon Gettert
I'm tired. That's the last thing I want to do is go swimming.

00;15;26;04 - 00;15;27;07
Craig Andrews
So,

00;15;27;10 - 00;15;52;06
Brandon Gettert
But I want them to know that there's several things, that, that I'm working on with them. Swimming just happens to be the one at the top. I want them to know the Lord. I'm figuring out how to navigate those waters myself, with having conversations at the dinner table and engaging at the dinner table. Because a lot of times, at the end of the day, it to right takes brainpower to have conversation, takes brainpower.

00;15;52;06 - 00;16;07;14
Brandon Gettert
To lead these clients to success, takes brainpower. By the time I get to that 5:00 and I'm checking out for the day, it's really hard to. Okay, I got to shift gears over here, and now I got to engage in this, so it's so worth it, you.

00;16;07;17 - 00;16;29;00
Craig Andrews
Know, and I commend that. You know, the my dad ran a business and he was always, always very busy. But the one sacred time of day was dinner time. And when we were having dinner, there were no phones answered. And, you know, this is before we even had answering machines over. The phone rang and you didn't answer.

00;16;29;00 - 00;16;30;10
Craig Andrews
There wasn't a machine to pick up.

00;16;30;15 - 00;16;31;05
Brandon Gettert
Yeah.

00;16;31;07 - 00;16;56;26
Craig Andrews
And, and dinner usually lasted about an hour to an hour and a half. And he, he would lead us in discussions about all sorts of things. And just incredibly, incredibly valuable time, something I, you know, I look back at as probably one of his biggest successes in raising us. And so I just want to commend you for doing that with your boys.

00;16;56;28 - 00;17;11;25
Brandon Gettert
Yeah. It's yeah. Thank you for that I appreciate that. It's it's a work in progress. I, I fortunately had really good parents like my dad. That's one of the goals that I want for my boys. I want them to want to come home after they launch.

00;17;11;27 - 00;17;37;07
Craig Andrews
Yeah. Yeah. So, the other thing, before we move on, talk a little bit more about cyber. You know, in in the green room, I asked you if there was anything off limits, and you said, I don't want to talk politics. And I was like, fair enough. We're not a political show anyway. But here's a strongly held belief I have this.

00;17;37;09 - 00;17;54;18
Craig Andrews
If you want to change the trajectory of America, you will do so far more effectively by investing in your kids, by being a father in the home, than anything you do in the ballot box.

00;17;54;20 - 00;17;59;19
Brandon Gettert
100% 100%.

00;17;59;21 - 00;18;27;20
Craig Andrews
Yeah. And I think a lot of the challenges that we're facing as a nation, if we added, if we could just go across the board and wave a wand and put dads in the homes of every, every boy, every girl in this country who's not only in the home but actively involved raising their kids, a lot of the political discussions we'd be we're having would go away.

00;18;27;22 - 00;18;38;27
Brandon Gettert
Could not agree more. I'm with you. Yeah. There's a but absentee dads is a it's a problem.

00;18;38;29 - 00;18;44;29
Craig Andrews
Yeah. Yeah. Well kudos to you for being part of the solution.

00;18;45;01 - 00;18;50;08
Brandon Gettert
Every day every I work on it every day. It's, every day.

00;18;50;10 - 00;19;15;07
Craig Andrews
So let's talk a little bit about cyber because, you know, that's it's interesting. It's it's something everybody's aware of. But my perception is it's something very few are actively doing anything about. They. And unless you're, you know, unless you're in a regulated industry and, you know, you have regulators coming in to see what your cyber security plan is, it's a threat to everybody.

00;19;15;07 - 00;19;23;10
Craig Andrews
And people think it's an issue of large businesses. No. The biggest, you know, the vast majority of cyber attacks hit small businesses.

00;19;23;13 - 00;19;24;06
Brandon Gettert
Yeah.

00;19;24;08 - 00;19;28;06
Craig Andrews
And people do nothing. What do you think the cause of that is?

00;19;28;09 - 00;19;47;15
Brandon Gettert
I think the cause is there's this misconception that it will never happen to me like, oh, that's I don't know what happened to me. That's some they're not going for my little business. They're not looking for me either. That's somebody else. So I think it all stems from that. The other one is I think it's miscommunication and it's miscommunication.

00;19;47;15 - 00;20;18;09
Brandon Gettert
A lot of, I got to dance delicately here. I don't want to call out any names, but a lot of times it's, well, that's the IT guy's problem, that my IT guy's taking care of that. And once again, just miscommunication. Like I get brought in, I'll several times I'll get brought in and the IT guy and the, the CTO, chief technology officer, he's also the CISO, which is chief information security officer.

00;20;18;12 - 00;20;43;04
Brandon Gettert
Very different initiatives, very different directives. We mentioned at the beginning that confidentiality and integrity triad, if you have one, it's triangle confidentiality, integrity and availability. And if you lean one way too much the other two suffer. And the goal is let's just meet the middle. Like that's a great spot to be like, I'm never going to guarantee that you're going to be 100% secure.

00;20;43;06 - 00;21;07;19
Brandon Gettert
But let's just do best practice and get basic cybersecurity hygiene in place. And this is my opinion only you do basic hygiene. There's a 90% chance you're not going to get breached only because the bad guys are looking for the easy and they're going to oh, they got MFA in place. Let's multifactor authentication. Let's go to the next guy.

00;21;07;24 - 00;21;18;11
Brandon Gettert
Let's go to the next company. Oh they've got intrusion detection in place. Let's just go to the net. Let's find let's find that low hanging fruit. It's really about the low hanging fruit. So that's that. Go ahead.

00;21;18;13 - 00;21;22;16
Craig Andrews
Do you consider social engineering a cybersecurity issue?

00;21;22;18 - 00;21;47;14
Brandon Gettert
I consider social engineering awareness training. So I look at that as maybe not a cybersecurity. It's all it's all packaged together like it's called defense in depth. There isn't one thing that's going to protect you. It's a multiple things kind of like an onion. There's multiple layers to it. And social engineering has its place. I'm I'm for it.

00;21;47;14 - 00;21;54;21
Brandon Gettert
Some people are not for it the way I am. But our employees are the weakest link.

00;21;54;24 - 00;21;58;27
Craig Andrews
And looks like just for those aren't familiar. What is social engineering?

00;21;58;29 - 00;22;18;01
Brandon Gettert
Social engineering is when bad actors try to trick you into giving them information. So that's either through email. Click on this link. Or like we get these text messages that come through. I just got one the other day that came with it. I was like, is this real? It was your Amazon driver sent you a message? Click on this link.

00;22;18;01 - 00;22;38;20
Brandon Gettert
So social engineering is just trying to get information. I was like, what I think they're trying to get my Amazon credentials is what's happening here. That's what I assumed happened. I don't really know. I think anything that comes through text messages, the text message and SMS message, I look at that outside of communication. I'm not doing any business through that.

00;22;38;23 - 00;22;45;23
Brandon Gettert
So it's just the fraudulent attempt to get your private information, your credentials, so you can they can log in.

00;22;45;26 - 00;22;56;16
Craig Andrews
Yeah. So well and I've had things come through that that look like they're authentically from Microsoft, you know, and think it's.

00;22;56;19 - 00;23;20;17
Brandon Gettert
Yeah. And that works because 99% of America uses Microsoft for business. So it's a great campaign. It's a great campaign. The bad guys know what they're doing. It's a really good campaign because like, oh, I got to log in. I got to put my Microsoft credentials in. So I have a talk. One of my talks that I talk about is let's walk through it.

00;23;20;20 - 00;23;42;05
Brandon Gettert
Let's get on the dark web. Let's get on that magical place which we're not going to go to in this talk. But let's get on the dark web. Let's go to a marketplace. Let's buy a list of email addresses. Let's look for a ransomware as a service campaign company. Let's figure out, okay, how easily can we draft up a campaign and make it look like it's an actual Microsoft email address?

00;23;42;07 - 00;24;01;02
Brandon Gettert
And so and then let's walk through deploying it, and then let's walk through what it looks like on the on our end like that. Right. There's a whole talk and there's a lot of questions that come with a lot of that. And I know I just threw a lot out, but that's a really good training tool for everybody in the room because they're like, oh, who are the adversaries that we fear?

00;24;01;04 - 00;24;30;25
Brandon Gettert
Is it nation state funded cybersecurity attack hackers, or is it the high school kid that was at home sick? Not that I want to get. Yeah, home. Home. Not at school. Watching YouTube videos on day on all day. On how to get on the dark web, how to get ransomware as a service because that's a threat. Now, how to buy list of email addresses and then how to set up a little crypto exchange and then how to deploy it and just we'll just see what hits.

00;24;30;28 - 00;24;32;29
Brandon Gettert
We'll just see what information we guess what's.

00;24;33;05 - 00;24;36;12
Craig Andrews
So you've said this a couple times, what's what's ransomware as a service?

00;24;36;14 - 00;25;01;14
Brandon Gettert
So ransomware as a service is basically the as a service solutions. Are you you hire somebody for their expertise. So basically you're just going to hire somebody to be the ransomware deployment platform for you. So hey, here's my list of email addresses that I want to send ransomware to. They will walk you through how to do that.

00;25;01;17 - 00;25;24;28
Craig Andrews
Yeah, I I've, I've heard that there are actual companies that have full development teams, and they're basically running an affiliate program. You get their ransomware deployed, you get you have a specific token. And when somebody pays out the ransomware, they get their cut of the ransomware and they give you your cut of it. Just getting being able to pass that system.

00;25;25;01 - 00;25;45;17
Brandon Gettert
Yeah, it's it's really interesting. Everybody wants a piece of that pie. And so yeah, crime I mean it pays. And as long as people keep paying whole other conversation on do you pay, do you not pay. That really gets into you like your business. Like yeah. Like here's a situation like if, if we get shut down today from ransomware, it's what do we do?

00;25;45;19 - 00;26;05;14
Brandon Gettert
Do we pay? Do we recover from backups? What's the process? And a lot of what we do is prepare and have those conversations. And like we mentioned, roundtable exercises will come in. My company will come in and we'll do a roundtable exercise where we're like, hey, let's just shake that tree, let's see what falls out and see we might not need to do anything.

00;26;05;15 - 00;26;26;13
Brandon Gettert
Like we kind of we accept that risk, but, oh, you know what? There's some gaps over here. Let's let's put these controls in place to reduce that risk a little bit. And it's it's a really great exercise. We do that for business continuity and ransom or incident response to two different things. Incident response is more data related.

00;26;26;15 - 00;26;32;25
Brandon Gettert
Business continuity is like keeping the business running from earthquake. Tornado, tsunami.

00;26;33;03 - 00;26;41;27
Craig Andrews
So who do you who do you typically work with? Do you work with smaller businesses midsize or large?

00;26;42;00 - 00;27;11;20
Brandon Gettert
Great question. I work with really my a majority of our work is in the financial sector because we're regulated. It's no one's going to bring me in just, oh, here's this extra expense to make us more secure. That just doesn't work that way. I'm only brought in after insurance has required you to have me, or you've had a breach or you've been somewhere that's worked in financial, and then you've pivoted out, and now you're in software development or, law firms.

00;27;11;23 - 00;27;23;22
Brandon Gettert
So majority of my work are financial institutions. I have a couple soft we have a couple of software companies, software development companies, a couple fintechs and then law firms.

00;27;23;24 - 00;27;49;23
Craig Andrews
Yeah. You know, one thing I don't think a lot of people realize is, you know, when the internet was started, it it it was relatively, you know, insecure. They just, you know, didn't think to put a lot of these systems in. And, you know, I started learning Unix in 91. And, you know, this is when I was in university and, you know, everybody had a Unix terminal.

00;27;49;26 - 00;28;12;05
Craig Andrews
And I remember them teaching, they gave us guide of, hey, you can find that we're where one of your buddies is on campus just by using the finger command. And if it will tell you which lab they're in and all that. And I thought, well, that's pretty cool. And I had a brother in law, I went to school in Raleigh, North Carolina, had a brother in law that was, living and working in Houston, Texas.

00;28;12;07 - 00;28;32;22
Craig Andrews
And I thought, well, let me try fingering him by his email. And I was able to go straight in to their system and it was, well, tell fairly large, you know, telecom was able to go straight into their system and see if he was at his desk. And I was like, well, this is pretty cool. And I would do that.

00;28;32;22 - 00;28;50;11
Craig Andrews
And if he was there, I'd reach out to him. And one day, all of a sudden I noticed access got blocked. I asked him to say what happened. He said, I set off some security alarms, and so I was an unwitting hacker from the early days, just because they didn't build it to be secure.

00;28;50;14 - 00;29;05;01
Brandon Gettert
Why would they think, yeah, yeah, you you know what you did? You bettered their process. You made them a better company. You protected them from something that it's a good job with. Be a proactive fighter in the cyber. Cyber cause cyber security cause.

00;29;05;04 - 00;29;19;03
Craig Andrews
So you typically work with people who are regulated. Their insurance requires that they be, they have, a plan in place. What type of... so banks is one. What are some other examples?

00;29;19;05 - 00;29;40;16
Brandon Gettert
Banks, credit unions, they're really the two that are under governance. You know, they got to keep their bank charter. So a lot of companies that I would work with, they're small, like they're small community banks. They don't have the funding for a full time CSO. They don't need a full time CSO.

00;29;40;16 - 00;30;03;14
Brandon Gettert
They just need some framework, some repeatable stuff in place every year. And that's where it's a niche market that we fit. It's a great it's very good. And it's there's a lot of runway for this type of work too, because a lot more companies like banking has really been ahead of the curve of like you don't hear of banks getting ransomware and knock on wood, I don't want to throw that out there in the universe.

00;30;03;20 - 00;30;29;18
Brandon Gettert
Kind of wish I could take that back. But small community banks, credit unions, they've benefited from governance and regulation. And so they, you know, they have to be at baseline. That's part of the deal. They have regulators coming in to make sure that they're protecting the bank's data, the bank's customers' data and all that. So they, you know, they're not the ones getting hit real hard right now.

00;30;29;20 - 00;30;43;00
Craig Andrews
Yeah. Well, who do you see being the next big area where, you know, your services will start rolling out to.

00;30;43;03 - 00;30;55;01
Brandon Gettert
So. That, I don't know, I have opinions and here's.

00;30;55;03 - 00;31;31;18
Brandon Gettert
I think, fintech, I think all the new technology companies coming out, I think before they can sell their services to anybody that they have to go through a third party, they have to have governance and they have to have an information security program in place. I think that'll be the next trend, because banks, for example, before we can even onboard a new third party vendor, we have to run them through a vendor management program and make sure, okay, do you have these controls in place to protect our data?

00;31;31;20 - 00;31;52;29
Brandon Gettert
That's the bank's data. Because we're at this standard that a lot of great cowboy developers out there. I'm not discrediting that at all. But a lot of that is push to market. And then security is bolted on afterwards. And I see that time and time again. Well, there's going to be a point where it's all right.

00;31;52;29 - 00;32;07;03
Brandon Gettert
We just can't onboard you. You just don't have the controls in place. Like great software. We love what we're hearing. We just can't take that risk because you don't have this piece. And so I think that that's going to be the next piece is the software shops.

00;32;07;05 - 00;32;20;14
Craig Andrews
Well, so what about those who are listening that are saying, hey, I'm not a bank, I'm not regulated. I'm not required to do any of this. What would your advice to them be?

00;32;20;16 - 00;32;47;17
Brandon Gettert
Go look at CIS Controls. Like, what we do is public knowledge. Like what an information security officer does. And CIS is probably the... they have 20 controls that you can put in place. It's the CIS framework. Computer... man, I don't want to butcher this, but I think it's computer information systems. But they have a list of 20 controls you can put in place.

00;32;47;20 - 00;32;55;09
Brandon Gettert
Implement those controls. That's what you can do. Follow that right there. That puts you at baseline.

00;32;55;12 - 00;33;23;29
Craig Andrews
Yeah. And kind of circling around if, if you could do something because this is a problem that I see basically, you know, for some of the clients that we've worked with who sell things like cyber liability insurance, everybody knows it's a problem. Nobody thinks they're going to be hit. Nobody takes action. It doesn't become a priority until they get ransomed.

00;33;24;02 - 00;33;27;14
Brandon Gettert
Yeah. Those purse strings open up after that.

00;33;27;17 - 00;33;34;27
Craig Andrews
Yeah. What would you tell these people who are like, I'm not a threat?

00;33;35;00 - 00;33;56;01
Brandon Gettert
Here are the facts. You've been informed. That's what I tell them is okay. I mean, as long as you're prepared for it. Okay. Do you have backups? Are your backups safe? Can you restore from backups? Like, how long can your business be down? It's leaning on a business continuity or an incident response exercise. One thing I like to do is I want to take the decision maker out of the room.

00;33;56;04 - 00;34;14;10
Brandon Gettert
That individual could be on a cruise and not available during this. What are we going to do? And if your business can go down for four or 5 or 6 days and then just recover a week later and customers are fine with that, you may not need that type of redundancy. So don't. That's a business expense you don't need.

00;34;14;10 - 00;34;36;05
Brandon Gettert
And that's what we find. Back to that CIA triad, that availability piece. And we really can be down for 4 or 5 days. It's like okay, great. We don't need to focus on availability. Let's just focus on confidentiality and integrity. And so it's just figuring out what's best for the business. And that's really what it's about. Like I we're not going to come in.

00;34;36;08 - 00;34;54;29
Brandon Gettert
Nobody should come in and be like, you need to do this, this, this, this, this, this, this, and here's this expense and here's this expense and here's this expense. That's not how small businesses work. Like, it's not a we're here to manage those dollars. And so I think that there's going to be a shift. Here's another shift. Here's another prediction.

00;34;54;29 - 00;35;25;15
Brandon Gettert
And I could be way off base on this. So I hope nobody in the comments comes back and in they yell at me later for you're wrong on this cyber insurance getting covered to have like insurance companies are going broke. And so like they have really ratcheted up. You have to have all these controls in place. Well, they're making it to the point where, you know what, maybe I'll self-insure, maybe I'll just accept it, that I'm not going to have cyber insurance, because the reality is you're not going to.

00;35;25;17 - 00;35;44;16
Brandon Gettert
There's been some cases where they're in the business of not paying just standard insurance, like it's not our problem, this this control. You said on your questionnaire when we gave you cyber insurance that you had these controls in place. Well, as it turns out, you did not. Now this policy's null and void, but what's the point of even having insurance if we're going to live that life?

00;35;44;16 - 00;36;05;00
Brandon Gettert
Let's not even pay the insurance policy. So those are the conversations I'm having now is do we want to have insurance or not? But we can't if we stretch the truth on the questionnaire because they're not like sending someone from the insurance company down and validating what we're doing. We're filling out a questionnaire saying, yes, we have MFA.

00;36;05;00 - 00;36;28;22
Brandon Gettert
Yes, we have backups, yes, we have network segmentation. Yes, we have all these controls in place. Users are not administrators on computers. All baseline stuff from those CIS controls I talked about. But if they have an event, they get ransomware. They find out that you didn't give us the truth on the questionnaire. This policy's no good.

00;36;28;27 - 00;36;53;26
Brandon Gettert
So one of the things I do every year for the clients that we handle, it's a real simple question. Here's what the listeners can walk away from here with this podcast. This with this is ask your insurance agent when you're renewing every year is if I get ransomware, am I covered? And then yes, but well, what's the but I want to walk down that road.

00;36;53;26 - 00;37;12;25
Brandon Gettert
I want to know what I truly have. And then the other one is business email compromise. And that's where we're talking about where phishing is, where one of my employees gave out their username and password, and MFA code, and a bad guy got into their mailbox. Now we got to do forensics on the mailbox. We got to figure out what information was in the mailbox.

00;37;12;25 - 00;37;38;11
Brandon Gettert
Do we have retention on the mailbox? And if that event happens, am I covered? Because that's probably what I'm concerned about is ransomware business email compromise first, ransomware second. And it's even getting worse now because now the bad actors they're doing, it's not just ransomware, one, they're getting in, they're sitting dormant and they're waiting. They're slowly extracting data.

00;37;38;13 - 00;37;59;12
Brandon Gettert
And then once they have the data, now it's double extortion because they're like, hey, one more ransom, okay? We're locking you down and we have your data. So now you have to pay us to get the data back. And two, if you don't pay, we're going to go after the customers that are in this data that we find. We're going to figure out what the data is, we're going to go find them and tell them.

00;37;59;14 - 00;38;26;23
Brandon Gettert
And now you got reputational risk. So it gets real, real scary real fast, real hairy real fast. So there's a lot of conversations. And that's why it needs to be a boardroom initiative. And we need to bring in... like, that's a whole other scope, is I need a champion on the board. I need somebody that is pro cybersecurity because we need it.

00;38;26;24 - 00;38;44;15
Brandon Gettert
We need direction from the top. We need executives that, like, we can't build a cyber security program from the bottom and work our way up. There's too many roadblocks. But if we have that initiative from the top of, hey, guys, we want to be at baseline. The CIS controls, we want to meet those 20 controls. Let's do it.

00;38;44;18 - 00;38;46;20
Brandon Gettert
Here's the roadmap. Here's the plan.

00;38;46;22 - 00;39;15;18
Craig Andrews
Yeah. Well, I, I do hope people will take action. I, I heard a story of a dry cleaner, not a chain of dry cleaners, just a single location that got ransomed. And if a single dry cleaner, which, you know, if you've ever been in one, you know, they have hundreds or thousands of garments and all of a sudden they can't find because they can't find the location for the garment.

00;39;15;20 - 00;39;30;05
Brandon Gettert
Yeah. It's such a disruption. My vet actually got shut down. There's a lot of vets that got shut down, mine that got shut down a while back and yeah, it's chaos. What do you do. Like what do you do, what do you do? You know.

00;39;30;07 - 00;39;35;22
Craig Andrews
I think one thing they should do is call you. How do people reach you?

00;39;35;24 - 00;40;06;11
Brandon Gettert
So our website's a great place, curatedcyber.com. You can follow us on LinkedIn. We have a we're just now starting this whole we're making videos and we're like one of the videos that I'm in the process of making here this week is I want to talk about sextortion. And what's happening is kids in high school usually just like dudes, usually the guys, they're getting hit up by these girls, and then all of a sudden they're being talked into sending nudes and send.

00;40;06;11 - 00;40;22;20
Brandon Gettert
I'm going to send you a nude. You send me a nude. Well, now all of a sudden, these bad guys are okay. Actually, I'm not a girl. I'm. I'm from a dirty call center. And I got your nudes now, and I'm going to send them to your whole family on Facebook. If you don't send me, you know, two, three, 4 or $500.

00;40;22;20 - 00;40;27;26
Brandon Gettert
So, like, we're seeing those type of,

00;40;27;29 - 00;40;41;08
Craig Andrews
Yeah. No, it's scary. It's scary. It's an important issue. All right. I really appreciate you bringing it here to Leaders and Legacies. I do hope people reach out to you. And once again, how do they reach you?

00;40;41;11 - 00;40;59;07
Brandon Gettert
Well, our website, curatedcyber.com. You can find us on LinkedIn as well. Curated Cyber on LinkedIn. You can email us at VC. So at Curated Cyber Attack. Com that goes to the information security officer. Is it curated cyber. So this was great. Thank you for having me on. There was so much more I wanted to talk about.

00;40;59;07 - 00;41;00;20
Brandon Gettert
We could talk for hours.

00;41;00;20 - 00;41;05;25
Craig Andrews
So, yeah. No. Fascinating. Thank you Brandon. Thank you very much.

00;41;05;27 - 00;41;08;16
Brandon Gettert
All right. Thank you.

00;41;08;16 - 00;41;37;12
Craig Andrews
This is Craig Andrews. I want to thank you for listening to the Leaders and Legacies podcast. We're looking for leaders to share how they're making the impact beyond themselves. If that's you, please go to Alize for me.com/guest and sign up there. If you got something out of this interview, we would love you to share this episode on social media.

00;41;37;14 - 00;42;00;26
Craig Andrews
Just do a quick screenshot with your phone and text it to a friend, or post it on the socials. If you know someone who would be a great guest, tag them on social media and let them know about the show, including the hashtag leaders and legacies. I love seeing your posts and suggestions. We are regularly putting out new episodes and content to make sure you don't miss anything.

00;42;00;28 - 00;44;11;12
Craig Andrews
Please go ahead and subscribe. Your thumbs up, ratings and reviews go a long way to help promote the show. It means a lot to me. It means a lot to my team. If you want to know more, please go to Alize for me.com or follow me on LinkedIn. Thanks for listening. We'll see you next time.